
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Tuesday sanctioned members of a North Korean hacking group called Andariel for their role in the infamous remote Information Technology (IT) worker scheme.
The Treasury Department said Song Kum Hyok, a 38-year-old North Korean national with an address in Jilin Province, China, facilitated the fraudulent scheme by using foreign-hired IT workers to seek remote employment with US companies and planning to split the income with them.
Between 2022 and 2023, Song is said to have created aliases for the hired workers using the identities of people in the United States, including their names, addresses, and Social Security numbers.
The development comes days after the US Department of Justice (DOJ) announced a sweeping action targeting the North Korean IT worker scheme, leading to the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites and nearly 200 computers.

Sanctions were also imposed on a Russian national and four entities involved in a Russia-based IT worker scheme that contracted and hosted North Korean IT workers. They are:
Gayk Asatryan, who used the Russia-based companies Asatryan LLC and Fortuna LLC to employ North Korean IT workers, and Songkwang Trading General Corporation and Saenal Trading Corporation, which collaborated with Asatryan by signing contracts with Asatryan LLC to supply those workers.
The sanctions mark the first time threat actors linked to Andariel, a subcluster within the Lazarus Group, have been tied to the IT worker schemes that have become an important illicit revenue stream for the sanctions-hit nation. The Lazarus Group is assessed to be affiliated with the Democratic People's Republic of Korea's (DPRK) Reconnaissance General Bureau (RGB).
The action "underscores the importance of vigilance on the DPRK's continued efforts to clandestinely fund its WMD and ballistic missile programs," said Michael Faulkender, Deputy Secretary of the Treasury.
"Treasury remains committed to using all available tools to disrupt the Kim [Jong Un] regime's efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber attacks."

The IT worker scheme, also tracked as Nickel Tapestry, Wagemole, and UNC5267, involves North Korean actors obtaining employment with US companies as remote IT workers, with the goal of drawing regular salaries using a mix of stolen and fictitious identities.
The insider threat is just one of many ways Pyongyang has adopted to generate revenue for the country. Data compiled by TRM Labs shows that North Korea was behind about $1.6 billion of the $2.1 billion stolen across 75 cryptocurrency hacks and exploits in the first half of 2025 alone.
While most of the measures taken to combat the threat have originated with US authorities, DTEX principal I3 insider risk investigator Michael "Barni" Barnhart told The Hacker News that other countries have stepped up and taken similar action, raising awareness among a larger audience.
"This is a complex, cross-border issue with many moving parts, so international collaboration and open communication are extremely useful," says Barnhart.
"As an example of the complexity of this issue, North Korean IT workers could be physically located in China, employing front companies posing as Singapore-based companies, contracting with European vendors that serve US clients. That level of operational layering highlights the effectiveness of joint investigation and intelligence sharing in countering it."

“The good news is that awareness has increased significantly in recent years and we are now seeing the fruits of that labor. These initial recognition steps are part of a wider global change to recognize and actively disrupt these threats.”
The sanctions dovetail with reports that a North Korea-based group tracked as Kimsuky (aka APT-C-55) has used a backdoor called HappyDoor in attacks targeting entities in South Korea. According to AhnLab, HappyDoor has been in use since 2021.

The malware, typically distributed via spear-phishing emails, has been steadily refined over the years and can collect sensitive information, run commands, PowerShell code and batch scripts, and upload files of interest.
"The threat actor, which primarily disguises itself as professors or academics, uses social engineering techniques such as spear phishing to install the backdoor via attachments and to distribute attachments that may install additional malware."